DeFi

Indexed Finance fell victim to $16M DeFi exploit

  • Decentralized finance protocol Indexed Finance has become the latest victim of an exploit that resulted in $16 million in lost assets.
  • Two of its indexes, DEFI5 and CC10, were the target of the sophisticated attack, which exploited the way index pools are rebalanced
  • The protocol's native NDX token has dropped 30% from $3.35 to $2,31  according to CoinGecko

Decentralized finance protocol Indexed Finance has become the latest victim of an exploit that resulted in $16 million in lost assets.

The attacker exploited this rebalancing mechanism

according to the post-mortem report Indexed uses pools of assets similar to Balancer with different weightings for each token in the pool or index. Two of its indexes, DEFI5 and CC10, were the target of the sophisticated attack, which exploited the way index pools are rebalanced,

The attacker exploited this rebalancing mechanism for the DEFI5 pool by unloading $156 million in flash swaps of the pool tokens UNI, AAVE, COMP, CRV, MKR, and SNX. He manipulated the pool weights by adding a new token SUSHI to control the majority weight of the pool. The malicious contract used all borrowed funds to buy UNI in pieces from the pool. The attacker performed a minimum balance update on the controller, and since UNI had been removed, it was calculated in SUSHI.

The process was repeated several times

The previously purchased UNI was then used to mint new DEFI5, inflating the pool supply by orders of magnitude. The borrowed SUSHI allowed the attackers to mint more DEFI5 at the wildly inflated valuation. They then burned these and made off with the underlying assets. The hacker repeated the process several times before performing the same attack on the CC10 pool and repaying the flash loans.

Security firm PeckShield tweeted that the attacker stole 15 ETH, 226.9K UNI, 7.5K AAVE, 6.4K COMP, 845.8K CRV, 516 MKR, 45.4K SNX, 33.2K LINK, 5.2K YFI, 17.8K UMA, and 131.6K BAT with a total value of approximately $16 million. Indexed stated that it will discuss refunds and how to proceed with the community as it works to fix the vulnerability. The protocol’s native NDX token has dropped 30% from $3.35 to $2.31  according to CoinGecko.

Sign up for our FREE mailing list

Join 12,590 others now and get actionable research and analysis sent directly to your inbox.

Post a Comment

GET YOUR CRYPTO DAILY BRIEF

Delivered daily, straight to your inbox.